

Report Date: 10 Oct 96
Name: 

Command: various
Phone (COMM): 

Phone (DSN):

E-Mail: [redacted]@rock.Mines.EDU

Type: original report

IP: [redacted]

Victim IP: 

Port/Service: telnet port 23 (sendmail) 

Incident Date: 07 Oct 96 

NCIS Case #:

Case Status: closed 




From [redacted]@rock.Mines.EDU Thu Oct 10 15:54:54 1996
Date: Thu, 10 Oct 1996 13:22:50 -0600
From: <[redacted]@rock.Mines.EDU>

To: navcirt@fiwc.navy.mil

Subject: baby_doe.mines.edu probes

Hi Folks - 

Well, barf, it looks like my message was truncated. So, I'll
try again.

We have a system here (baby_doe.mines.edu) that had root compromised
and went on a search mission for other systems. We've gotten several
responses from those that were probed for potential entry points and
I'm sure that you've seen some of those or will be contacted by others
about them. The probes occurred between ~8:30pm MDT on 10/7/96
and ~6:30am MDT on 10/8/96. The lair has been tracked down and
we have the logs, software, and target names of the probe. It looks
like it mostly probed for the following:

SMTP - vrfy guest, decode, bbs, lp, decode, uudecode, majordomo
       enter debug & wiz
FTP availability
RPC: ypserv, mount, name, boot, selec, rexd, rusers, ypupdated,
     pcnfsd, rstatd, ypbind, keyserv
HTTPD: cgi
NFS: mounts
POPPER:

It mostly looked like it was looking for entries rather than exploiting
them at this time. We have tried to cleanse the machine, but are unsure
how they got in. We do know that they replaced login, netstat, ifconfig
and ps once they were in. We are currently filtering packets destined for
that machine (and a cohort machine) from the Internet. Hopefully, this
will put a bandaid on everything until we can deal with it.

It appears that the break-in came from [redacted]. We have some
droppings pointing at this - an ftp log for a non-existent user. I am
including a mail message from [redacted], who is doing most of the
scouting around for evidence. In addition,
I am including the list of sites that were probed. The names look like
security people to us (some mail list?) since several of the targeted
people were those who actually sent mail to us saying that they were probed.

We intend to send a message to all those on the list saying that their site
was on the list. In addition, we can, if you think advisable, send the
result of the probe. We would welcome any advice that you would like to
send our way. In addition, if we can help you, please let us know how.

Thanks -



==========================================

Mail message from [redacted]:

>From [redacted]@basalt.Mines.EDU Wed Oct 9 15:11:53 1996
Date: Wed, 9 Oct 1996 15:06:58 -0600
From: <[redacted]@basalt.Mines.EDU>
Message-Id: <19 9 5TUU52 lffSTraxTO 4 69 Gbasal t. Mines. EDU>
To: [redacted]@slate.Mines.EDU
Cc: [redacted]@slate.Mines.EDU
Subject: hacker
Reply-To: <[redacted]@slate.Mines.EDU>




There is a core file in baby_doe:/var/spool/mqueue that was dumped
during the hack on baby_doe. In it there appears the following name:

[redacted]@cyberspace.org

I fingered same, and he happened to be logged on at that moment from

143.53.38.51

I did an nslookup on the latter, and it was

[redacted].ac.uk

which is the site that showed up as an ftp just prior to the
of the nest, and captured in the hacked login's logfile.dat as several
logins during the hack.

I think this is our hacker.



details begin 


baby_doe% pwd
/var/spool/mqueue
baby_doe% ls -l core
-rw-r--r--  1 root      8507824 Oct  7 20:40 core


slate156> finger alanl@cyberspace.org
[cyberspace.org]
Login: alanl
Directory: /u
On since Wed 6:46 (EST) on ttyq8
No unread mail
No Plan.


slate160> nslookup 143.53.38.51
Name:    [redacted].ac.uk
Address: 143.53.38.51

Name: [redacted]
Shell: /bin/csh
from 143.53.38.51
&c


slate164> nslookup cyberspace.com
Name:    cyberspace.com
Address:


On baby_doe, "strings /var/spool/mqueue/core" ends with (PWD was the nest):

baby_doe.mines.edu.mines.edu
sendmail
alanl@cyberspace.org
HOME=/
LOGNAME=
PATH=/usr/local/bin:/bin:/usr/bin:/usr/ucb:/etc:/usr/etc:.
PWD=/usr/include/rpc/../scan
SHELL=/bin/csh
TERM=vt102
USER=
anubis.network.com
sctc.com 
■andy.alt.za 
cs.hmc.edu 

_‘muddcs. cs. hmc. edu 

poling0jhu.edu 
•bigdog.fred.net 
btc.uwe.ac.uk 
‘xnaine. edu 
‘pm. co. at 
basis.com 
aros.nat 

gorgan.mti.sgi.com 
baxterSaaii.oz.au 
iacs.UMD.EDU 
IS.CAM.AC.UK 
@inf.ethz.ch 
cain.kaist.ac.kr 
•reseau.nl 
support.psi.com 
_ rcg.edu 
, gb.swiasbank.com 
chewy.wookie.net 
‘znersinet.co.uk 
_ lorien.ocf.llnl.gov 
‘netznaine. com 
^ ‘primua.COM 
cs.albany.edu 
cs.albany.edu 
^cc.ece.ntua.gr 
r astro. Colorado. EDU 
tis.com 

eckman.uiuc.edu 
‘ph-meter. beckman. uiuc. edu 
YKnet.YK.CA 
eis.calstate.edu 
r cs.utk.edu 
iimitllO.com 
‘umbc. edu 

Salydar.crd.ge.com 
‘grymoire. crd, ge. com 
grymoire. crd. ge. com 
Slath.psu.edu 
‘pop.psu.edu 

transformers.labs.gmu.edu 

1 ualberta.ca 
aco.COM 
aco.com 

•haven. boa ton .ma.ua 
snm. com 

cosmos.kaist.ac.kr 
d. sbi.com 
p9morgan.com
I ^connect. com. au 

■|®MiSTy. lore. nasa. gov 
B@misty, larc.nasa.gov 
fcjgcsuarad.cs.vt.edu 
Igpussenterpr ise, async. vt. edu 
pSgaSriel.resudox.net 

■Bbltblt.resnet.Cornell.edu 
BOcyberc om.net 
fcOhpnmc ldg. cup .hp.com 
tpeyberspace. net 
yBWffnet 

■Mfpt com 

Bawadi .com.au 
Bawadi. com. au 

B9isi.edu 
Bterebase. com 
■Riobbes. dtcc. edu 
Bunix. worldcom. com 
■Htfsctc. com 
JWro rian. use. edu. ph 
^3 d elta. eec s. nwu. edu 
■Bboutell. com 
BjSNETSPACE. 0R6 
Htopsun. west. sun. com 
Bailes. greatcircle. com 
BOmiles.greatcircle.com 
'preal. com 
BOreal.com 
‘5sccsi.com 
; /0tta. com 
B@cse. uese. edu 
■pjhu.edu 
Bfcsaturn. net 
Bowimsey. com 

BpMATH. Ucdavis. EDU 
B3turing.ucdavis.edu 
icyBerf lunk. com 
Icyberflunk.semaphore.com 

K caf e. kaist, ac. kr 
O32600.com 
J-owner 3 fc.net 
ilefty.novasys.Com 
0@cica.es 
Brochester. edu 

mg. ac.be 

cclabs.missouri,edu 
ab.missouri.edu 
-bsu.cam.ac.uk 
lcisco.com
r Hehman.com 
L91ehman.com 
Jsharks. kylmedia. f i 
JHolland. Sian. COM 
ifwi.uva.nl 
J fwi.uva.nl 
Jholland.Sun.COM 
Jhol land.sun.com 
JStarbase.NeoSoft.COM 
Janjura.com 
Jucl.ac.uk 
Jalt. net 

Jsobrino.eui.upm.es 
Jcclabs.missouri.edu 
Jeverest.cclabs.missouri.edu 
Jsgi2.phlab.missouri.edu 
r foath.ac.uk 

igu2 Ocdcnet. uniandes. edu. co 
fSSDS.com 
J9ssds.com 

Jgauss. ELEE .CalPoly.EDU 
Jgauss.ELEE.CalPoly.EDU 
Jgauss.elee.calpoly.edu 
Jcert.org 

lemory.e* 

Jio.com 

Jsurrey.ac.uk 
Jlum.sparc.com 
Jlum.sparc.com 
JCOM. CRIMELAB 
JCRIMELAB.COM 
Jcrixnelab. com 
Jcrimelab.crimelab.com 
Lsisph.com 
J9helix.net 
Jisis.isisph.com 
f9platf orm, com 
Jr iver s. dra. hmg. gb 
Jr ivers. dra. hmg. gb 
Jtaxipico. cso. uiuc. edu 
Jwastnet. com 
iwhi tman. gxnu. edu 
i9sco.com 

Jcheetah. llnl. gov 
Jelwha. evergreen, edu 
lsummit.novell.com 
Jloiosh.kei.com 
Jiss.net 
Jshadow.net 
Jshadow.net Subject 

.9cling.gu.se 
Ippwsl2 .plk. af.mil
Jppwsl2 .plk. af.mil 
5r andx. cs. ohiou. edu 
Imillenniumcc. com 
Iclipper.. cb. att. com 
Ler. net 

litchy.inner.net 
)itchy. inner. net 
Iministry-of-love. inner. net 
Itecnetl.jcte.jcs.mil 
:tic.nl 
Inervosa.com 
^ lmsmary.edu 
Jleol.net 

Ipublix. empath. on. ca 
_leek. llnl.gov 
lmit.edu 
fen&th. psu.edu 

iunet.uu.net 
} student. uq. edu. au 
rscitsc.wlv.ac.uk 
t@rs6000. citp. ilstu.edu 
, fgov.bc.ca 
loolnet. carleton. ca 
5tanford.EDU 
.t. 5cth.se 
lalantec.com 
..AC.UK 

fozonline.com. au 
Irpi. edu 

_Ipluto. ulcc .ac.uk 

berserkly.Cray.com 

_ ikillerbee.jsc.nasa.gov 

dan.com 

pasteur.fr 

ixniriworld. its. unimelb. EDU, AU 
protocol. ece. iisc. emet. in 
ans. net 

sandia.gov 

teleport.comSsage.cc.rl.ac.ukZzZ 
TELZPORT.COM 
teleport.com 
.COM.AU 
esi.com.au 
fgh.oz.au 

kachina. j etcaf e. org 

tis.com 

tis.com 

wanda. phi. pond. com 
escape.com 
Qandrew. emu. edu 



.umbc.edu
•shorn. fr 

r Jcogs.suax.ac.uk 
iphoenix. Princeton. EDU 
Ivnet. ibm.com 
is, berkeley.edu 

Iphoenix. Princeton.EDU 
rr90 0.physics.usyd.edu.au 
Jpacs tar, coxn.au 

^MO.NET 

!on. chem. yale. edu 
Edcarleton.edu 
ITymnet . COM 
ltelecom.ksu.edu 
.CTD.ORNL.GOV 
r CTD.ORNL.GOV 
issat.dassault-at.fr 
Ibconnex.net 
„ Jcybersafe.com 
fdsickly.cybersafe.com 
Jcity.ac.uk 
Jparis.eng.utsa.edu 
*hcs.HARVARD.EDU 
r >hcs.harvard.edu 
:artarus.uwa.edu. au 
Iconga. super. unam. mx 

_i. ucdavis.edu 

Ibigcat. missouri. edu 
Icac. Washington. edu 
>u me. COM 
.gssc.com 
Shaddock, saa-cons .co.uk 
•cons.co.uk 
:.cc.utexas.edu 
falphasun.anu.edu.au 
lua.oracle.com 
_ Jtscape.com 

Ismtp-gw. spawar. navy. mi 1 
,nl 

^paranoia. com 
^paranoia. com 

Houie. udel. edu 
lrecycle.cebaf.gov 
^oxygen, house. gov 
_ .aubum.edu 
Igoodall.goodall.com 
i.smu.edu 
i. smu.edu 
>comco.com 
Igraphite.comco.com 
Ichar1ie.ksu.ksu.edu 
lUS.DHL.COM 


garrison.inatcan.net
“arc. honeywell. com 
.dnai.com 

giews6.rtpnc.epa.gov 
__ vangogh. rtpnc. epa. gov 
.^.ackbird.mitre. org 
blackbird.mitre.org 
Jicaan. uiowa. edu 
dicaen.uiowa.edu 

__. ins. Cornell. edu 

Ins61.tn.Cornell.edu 
lumich. edu 

tnt. microimages. com 
[pandora. mit. csu. edu. au 
‘ edhcst.com 

andromeda. rutgers. edu 
bu.edu 
r _‘C8 • ubc. ca 
__Joc.cs.ruu.nl 
sunedl. Nswses. Navy. Mi 1 
cse.psu.edu 
MXT.EDU 
Jmit.edu 
(netmarket. com 
Idaristo. tau.ac. il 
tbd.ford.com 
tbdlSO.tbd.ford.com 
lupine.org 
lupine.org 
netscape.com 
[power. net 
IntNet.net 
. edu 
tucar. edu 
_CS.Berkeley.EDU 
Qcs.berkeley.edu 
ee.pdx.edu 
ee.pdx.edu 
MicroUnity.com 
microunity. com 
fx.com 
fx.com 

iNETCOM.COMdsage.cc.r1.ac.ukZ zZ 
Jnetcom. com 
clipper.ens.fr 
meridian-data.com 
^superior.net 
^phoenix, net 
1 g --Sac idtr ip. alaska. edu
i^Muwe .ac.uk 

I Hp@cs.vu.nl 

Bgatekeeper. ddp. state. me. us 
bAP e7Sona ^~ roe< ^’ a 'Co.jp 
Keesunl. tamu. edu 
igol.cse.fau.edu 
&lux.levels.unisa.edu.au 
jenrode.nl 
■9bcs.org 
fcsolucorp.qc.ca 
fa@esisys. com 
fcpftlirmm. fr 

^netcom.com 

MRtv.com 

tanftphiber. pry sm. com 
■Bdilbert.multiverse.com 
fcmii.lu.lv 

Mfenether lands, ypsi.xni. us - g 

P33wolverine.hq.cic.net LJi 

■plvtser f. cc. vt. edu 
f@fiyingfox.com 

K kory. SDSU. Edu I “ 

accmail.ceic.go.cn |g 

vnet. IBM . COM 
netcom.com 
ssi.uku.fi ' 
cibc.com 
F@cs. urab. edu 

| :h. cit. Cornell. edu 
>m 
m 
it 

>ronto. edu 

5 sul.hq.af.mil 

jo Id. chem. hawai i. edu 

?w.com 

?w.com 

:ordant.com 

3t@sbil.co.uk 

jr.sw.oz.au 

jr.sw.oz.au 

ede. sw. oz. au 

amsOl.alcatel.com.au 

smsO1.alcatel.oz.au 

imensional.com 

mp.com 

6.cactus.org 

ix.com 

blue. weeg. uiowa. edu 

• com „ 1 c 
(srd.bt.co.uk
FTcs.forth.gr 
(Tadpole.COM 
ITsdpole.COM 
(California.sandia.gov 
(znath.psu.edu 
__ istwickdcargill. com 
idakaznai. sps. mot. com 
(znrc-lmb.caxn.ac.uk 
(nist. gov 
(usr.com 
(Soils.Umn.EDU 
(soils.uznn.edu 
Tamer i can tv. com 
Hnorganic5. chem.uf 1. edu 
(inorganic5. fdt.net 
(muikku.jmp.fi 
(iona. ie 
liona. ie 
jt en. At inc. COM 
(kry ten. at inc. com 

(r&6000.cnp.ilstu.edu 
_ iu.ai.mit.edu 
r (telecom, ksu.edu 
(^students.si.£ct.unl.pt 
iSelegant. com 

per s ©marigold, eecs. nwu. edu 
srs0marigold. eecs. nwu. edu 
(concorde.com 
(cue. be. ca 
Icisco.com 

r (helixO. cliem. iastate. edu 
(0navigist.com 
(smartdoca. com 
(thepoint.com 

rezeranskiainformatik. tu-clausthal.de 
_ ilfa.ods.gulfnet.kw 
(hillnet.com 
(netsys. com 

(Heuristicrat.COM 
(etc. com 

:ita.jpl.nasa.gov 
(dee.retix.com 
jicnet.net 
(mig.com 

(earth. bcc. ml. com 
Fssec.honeywell.com 

r tdsamba.cnb.uam.es 
tv7teli.se* 

Idarwin. technet. sg 
(pobox.org.sg 
(stf.org.sg 
-Jrned&r. com
_Im-net. arbomet. org 
jalcom. phys. cwru. edu 
Ipoly. phys • cwru. edu 

[raxnon.bgu.ac.il 
peeves, ucsd.edu 

toorlas.com 
lfsdirect.com 
M tar s iar. cv. nrao. edu 
r Jinus.mitre.org 
Hinus.mitre.org 
freedom. NMSU. Edu 
^^jpgahhgo. com 
RHicse. cse. nau. edu 
inbs. nau. edu 
Ipine. cse. nau. edu 
‘ lmit.edu 

jjhy.ucsf.edu 
^lcs.bgsu.edu 

lny p%phu020.ci S . smith.)?line.comSsmithkline 

rjjagpuss.demon.co.uk 

Hiammerl.NeoSoft.com 
■•netscape. com 
^cheetah, llnl. gov 
^soften, ktu.It 
|B Sylvan. COM 
igsylvan.com 
tgphibro.COM 
^gphibro. com 
-—:idga. com 
fisis. st. 3com. com 
Izeus. ST. 3Com. COM 
lentropic. com 
lihs. com 


Hc.net 

^ministry. paranoia. com 
^paranoia. com 
;ac.nyc.ny.us 

IMail.Coast.NET 
^garnet. msen. com 
r Julian.uwo.ca 
Pkcc. empath. on. ca 
' pggnu.ai.mit.edu 
[sneeze. resp-sci. arizona. edu 
ihC8.HARVARD.EDU 
tcsmas.ncsl.nist.gov 

^alpha. dcs. fmph. uniba. sk 
_ (umich.edu 
INDA.COM 


lnda.com 


Jthepoint. com
Idir con. co. uk 
,ubc .ca 

telfa.ist.utl.pt 

Usable, ox.ac.uk 
^P^ucssunl. sdsu. edu 

Sae. crixnelab.com 

ltidtest.total.tr 
r Jtidtest.total.fr 
onshore.com 
[tac.com 
u.itac. com 
—lyeager. corp. ACT 1 • com 
Inbtspacb.org 

Inet space. org 
linfoseek.com 
lnetscape.com 
■ fcgandrew.cmu.edu 

Klph® jpmorgan. com 
Jetsys. com 
Ipeyber. com 
Ter t. df n. de 
kJS.UMD.EDU 
Jvaropira. f isons. com 
l®ragnarok.hks.com 

Jral.randomc.com 

^networking, stanford.edu 

iwlb. cpr. itg. telecom, com. au 
Jdandelion.com 
■pftmarcus.its.rpi*® du 
BorrowSCS.YALE.EDU 

,r .5S! 9 inf o^tikfuni-muenchen. da 

—lMlilS^db.?inf ormatik. uni-muenchen 

*p8char iia^cod. bnl. gov 
_;ique. epm. ornl. gov 

Icert. org 

frmedia. mit. edu 
metcom.com 
lxnu.lt ivac. or thane. com 
Jnetbistro.com 
wwo . ohio-state. edu 
Inet.ohio-stata.edu 

ISsStr^ad.. ohio-state. edu 

-iRjat COM^ayfi« ldiIConNet - C0M 

S:t : « 5 . Swf i.ld»i=onne t . com 

^knailhost. ecn. uoknor. edu 
Ipattyr.acs.ohio-state.edu 
Ipattyr. acs. ohio-state. edu 
lnetcom.com
Idumbcat.sf-ca.us
Odumbcat.sf.ca.us 
9 xnicr omuse .co.uk 
tredhat.com 
3 tky.icdc.fr 

3 tky.icdc.fir , 

^p 9 i! 7 linuxb.ista.pwr.wroc.pi 

9 colurabia.edu 
pinetsys. com 
6 qtac.edu.au 

S tipper.oit.unc.edu 
zang.com 

*9zang. kcc. hawaii. edu 
m zang.kcc.hawaii.edu 
Lp&internie.net 
fc9sol.natl.gov 
K6totale.nokia.fi 

fclsueton. ida. ing. tu-bs. de 
l&mailhost. emap .co.uk 
Kipaston.co.uk 
Barca.md. com 
feapex.ca 
v@cs.su.oz.au 
■Sopcom. ca 
■9ott.opcom.ca 
TCataff.ca.au.oz.au 
touts.EDU.AU 
M8uta.edu.au 
C@uts.edu.au 
■9worldlinx.com 

Wes.adelaide.edu. au 
KflSsgate.com 
PHPTaeka. net 
Kac. edu 
Iftgac.edu 

■tougcs. caltech.edu 

■^maverick, intecom. com 
Bici.uminho.pt 
Snawc 690. chinalake. navy. mi 1 
Binterport. net 
;3lo. com 
PRqwest .be. ca 
■EnGarde. com 
|uic3serve. c3 . lanl. gov 
■engarde. com 
K|te&argus. cu-online ,om 

El typhoon-ether. Berkeley. EDU 
EjpSc s.purdue.edu 
Bvodka. see. att. com 
tovodka.sse•att.com 
Knetrail.net 
■lusa.net 


uunet I suburbia. apana. org. au!prof f Smedar. com
infosoc.com 
fit.qut.edu.au 
stc.nato.int 
ftp.com 

dcdmwm. fzxal. gov 
inficad.com 
ezcal.Valparaiso.cl 
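The covering message describes the SMTP side of the probe: VRFY of the accounts guest, decode, bbs, lp, uudecode and majordomo, plus attempts to enter debug and wiz. As an added defender-side example (not part of the report and not code from the Mines site), the Python script below scans constructed syslog-style SMTP log lines for exactly that pattern and ranks source addresses by how many probe-like events they generated. The log layout, the `smtpd` tag, the source addresses and the threshold are assumptions made for the example; real sendmail logs use a different format and would need their own regex.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the report). The syslog-like layout
# and the "smtpd" tag are assumptions for this example, not sendmail's real format.
SAMPLE_LOG = """\
Oct  7 20:31:02 mailhost smtpd[1203]: 192.0.2.10: VRFY guest
Oct  7 20:31:03 mailhost smtpd[1203]: 192.0.2.10: VRFY decode
Oct  7 20:31:03 mailhost smtpd[1203]: 192.0.2.10: EXPN uudecode
Oct  7 20:31:04 mailhost smtpd[1203]: 192.0.2.10: VRFY majordomo
Oct  7 20:31:05 mailhost smtpd[1203]: 192.0.2.10: WIZ
Oct  7 20:31:05 mailhost smtpd[1203]: 192.0.2.10: DEBUG
Oct  7 20:40:11 mailhost smtpd[1210]: 198.51.100.7: VRFY postmaster
Oct  7 20:41:00 mailhost smtpd[1211]: 198.51.100.7: MAIL FROM:<user@example.org>
"""

# Accounts the report says the probe asked about, and the two legacy commands it tried.
PROBED_ACCOUNTS = {"guest", "decode", "bbs", "lp", "uudecode", "majordomo"}
LEGACY_COMMANDS = {"WIZ", "DEBUG"}

# One assumed log line: timestamp, host, "smtpd[pid]:", source address, SMTP verb, argument.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: "
    r"(?P<src>[0-9.]+): (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$"
)


def parse_line(line):
    """Return (timestamp, source, command, argument) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("cmd"), m.group("arg") or ""


def is_probe(cmd, arg):
    """True for VRFY/EXPN of a known probe account or for a WIZ/DEBUG attempt."""
    if cmd in LEGACY_COMMANDS:
        return True
    return cmd in {"VRFY", "EXPN"} and arg.strip().lower() in PROBED_ACCOUNTS


def score_sources(log_text):
    """Map each source address to the list of (timestamp, command, argument) probe events."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparsable or unrelated line: skip rather than guess
        ts, src, cmd, arg = parsed
        if is_probe(cmd, arg):
            hits[src].append((ts, cmd, arg))
    return dict(hits)


def flagged_sources(log_text, threshold=3):
    """Sources with at least `threshold` probe-like events, most active first."""
    scored = score_sources(log_text)
    return sorted(
        (src for src, events in scored.items() if len(events) >= threshold),
        key=lambda s: -len(scored[s]),
    )


if __name__ == "__main__":
    scored = score_sources(SAMPLE_LOG)
    for src in flagged_sources(SAMPLE_LOG):
        print(f"{src}: {len(scored[src])} probe-like events, first {scored[src][0]}")
```

A single VRFY of postmaster from 198.51.100.7 is ordinary mail traffic and is not counted; only the enumeration of the specific accounts the report names, or a DEBUG/WIZ attempt, contributes to a source's score, so the threshold separates a sweep like the one described from routine verification.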